Microsoft Leaves Necurs Botnet in Shambles

By Richard Adhikari
Mar 13, 2020 4:00 AM PT

Microsoft this week announced the success of its efforts, jointly undertaken with partners across 35 countries, to disrupt the Necurs botnet group blamed for infecting more than 9 million computers globally.

There are 11 botnets under the Necurs umbrella, all apparently controlled by a single group, according to Valter Santos, security researcher at
Bitsight, which worked with Microsoft on the takedown. Four of those botnets account for about 95 percent of all infections.

"Necurs is the named exploit that is most consistently used," said Rob Enderle, principal analyst at the Enderle Group.

The U.S. District Court for the Eastern District of New York last week issued an
order enabling Microsoft to take control of the U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.

Microsoft figured out the new domains Necurs would generate algorithmically and reported them to respective registries worldwide so they could be blocked.

Microsoft also is partnering with ISPs, domain registries, government CERTs and law enforcement in various countries to help flush malware associated with Necurs from users' computers.

The botnet activity stalled this month, but about 2 million infected systems remain, waiting in a dormant state for Necurs' revival.

These systems "should be identified and rebuilt" to avoig leaving them susceptible to Necurs or another botnet, Enderle told TechNewsWorld.

"They could do a lot of damage if they aren't found in time," he said.

"Microsoft is one of the few companies going after the bad actors and not just addressing the point security problems," Enderle noted. "Until the world becomes aggressive with bringing the bad actors to justice, we will continue to be at risk of a worldwide catastrophic computer event. This problem needs to be solved at the source."

The Long Arm of Necurs

Necurs is one of the largest networks in the spam email threat ecosystem.

During one 58-day period in the Microsoft-led investigation, a single Necurs-infected computer sent a total of 3.8 million spam emails to more than 40.6 million potential victims, noted Microsoft Corporate Vice President Tom Burt.

Necurs first was detected in 2012. It is known primarily as a dropper for other malware, including GameOver Zeus, Dridex, Locky and Trickbot, Bitsight's Santos said.

Its main uses have been as a spambot -- a delivery mechanism for pump-and-dump stock scams, fake pharmaceutical spam email, and Russian dating scams. It also has been used to attack other computers on the Internet, steal credentials for online accounts, and steal people's personal information and confidential data.

The botnet is known for distributing financially targeted malware and ransomware, as well as for cryptomining. It has a DDoS (distributed denial of service) capability, although that has not been activated.

From 2016 to 2019, Necurs was responsible for 90 percent of the malware spread by email worldwide, according to BitSight's Santos.

"Necurs is essentially an operating system for delivering bad stuff to infected machines," said Mike Jude, research director at IDC.

"By itself, it isn't really threatening," he told TechNewsWorld. "It's more like an annoying bit of code that works at the root level. But the stuff it can deliver or activate can be devastating."

The Necurs operators also offer a botnet-for-hire service, selling or renting access to infected computer devices to other cybercriminals.

Necurs is believed to be the work of criminals based in Russia.

How Necurs Works

Necurs' developers implemented a layered approach for infected systems to communicate with its command-and-control servers through a mixture of a centralized and peer-to-peer communication channels, BitSight found.

Necurs communicates with its operators primarily through an embedded list of IPs, and occasionally through static domains embedded in the malware sample. It also can use domain generation algorithms.

A dummy DGA produces domains to be used to see if the malware is running in a simulated environment. A second DGA fetches hard-coded .bit domains.

The .bit top-level domain is an alternative DNS model, maintained by Namecoin, that uses a blockchain infrastructure and is more difficult to disrupt than ICANN-regulated TLDs, Santos said.

If none of the other methods can get an active C&C server, the main DGA kicks in. It produces 2,048 possible C2 domains every four days across 43 TLDs, including .bit, based on the current date and a seed hardcoded in the binary. All domains are tried until one resolves and responds using the correct protocol.

If all the above methods fail, the C&C domain is retrieved from the always-on P2P network, which acts as the main channel to update C&C servers. An initial list of about 2,000 peers is hardcoded in the binary, but it can be updated as needed. The peers in the list are known as "supernodes" -- victim systems with elevated status within the infrastructure.

Further, the malware uses an algorithm that converts the IP addresses received through DNS to its servers' real IP addresses.

The C&C infrastructure is tiered, with multiple layers of C&C proxies, to make discovery even more difficult.

The first tier of C&C servers consists of cheap virtual private servers in countries such as Russia and the Ukraine. They reverse-proxy all communications to the second-tier C&C servers, which typically are hosted in Europe, and sometimes in Russia. The communications proceed further up the chain until they finally reach the back end.

On normal days of Necurs' operation, BitSight detected fewer than 50,000 infected systems daily when there were active C&Cs, and between 100,000 and 300,000 when the C&Cs were inactive.

"The daily unique observations continue to be an underestimate of the true size of the botnet," Santos remarked.

Dropping the Hammer on Necurs

Analyzing Necurs' DGA allowed Microsoft to make accurate predictions of more than 6 million unique domains the botnet group would create over the next 25 months. Its lawsuit and partnerships with various entities will prevent Necurs from registering and using them.

Microsoft "has done a stellar job of taking this version apart -- but these things evolve, and it's likely there will be another iteration if this one becomes more or less neutralized," IDC's Jude observed.

"Code is easy to change and it isn't being developed in a vaccuum," he pointed out. "The people behind this are probably already investigating how Microsoft reverse-engineered their approach and are building that into the next version."

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
Email Richard.